Spammers Love to Hurt Internet Users

Love is a many splendored social engineering tool and spammers are busy sending out a whole lot of their particular brand of love across the electronic universe.

An interesting blog post (Love Hurts) by Kevin Haley at Symantec points out that malicious code writers are busy spreading their work in attachments hidden in the millions of spam messages being spewed out by zombies (compromised computers). If you click on one of these attachments — and your machine isn't bulletproof — it also can become a zombie and used as part of a botnet to send out more spam. Botnets are groups of compromised computers used to form a super computer. Of course, downloading malware can also mean that all your personal and financial information will be stolen, too. Please note (as you will see below) that some forms of malware currently being sent out can do both.

Kevin's blog post came out at almost the same time Symantec issued it's monthly Spam Landscape Report. With Valentine's Day coming up, love is a predictable lure and it's probably a good idea to make sure you know who loves you before clicking on any links in an e-mail.

Another predictable finding in the report is that spam levels are continuing to rise to normal levels after they fell when McColo was shut-down. McColo (a Web service hosting provider) was shut down in November after it was discovered they were the source of a large number of botnets, which are used to send out spam. Last month, 79 percent of all e-mail was spam. The report also notes that the point of origin for spam is shifting a little. Although the United States is still number one, the number of active zombies in other countries is rising. While some of this is being attributed to McColo, the report points out that this might point to the fact that some of these countries have an increasing number of users accessing the Internet.

From a spam-commerce point of view, the report indicates weight loss products, counterfeit drugs, cheap watches and porn top the list of items available at super-cheap prices as Valentine's Day approaches.

Besides Valentine's Day, President Obama also continues to be used as a spam lure, according to the report. A lot of this spam contains malware with files names such as usa.exe, obamanew.exe, statement.exe, barackblog.exe and barackspeech.exe. The malware being spread in these spam e-mails is called the W32.Waledac, which is capable of both stealing sensitive personal and financial information and turning a machine into a zombie. It also establishes a backdoor to a machine so it can be remotely accessed.

Current events (and holidays) have been and probably will continue to be used as social engineering lures to snare the unwary.

Also noted was a rise in Russian spam hawking goods and services. With cheap long distance services using VoIP, the Russians have actually set up telephone numbers for their intended victims to call. My guess is that they will entice someone to send money, which can't be recovered when the person sending it discovers they've been scammed.

Chinese gambling spam is also mentioned as a new phenomenon in the report. It appears to be patterned after English language gambling spam, but is written in Chinese.

Last, but not least, Nigerian spam is mentioned. Nigerian or 419 spam is named after the section of the Nigerian penal code dealing with fraud. It normally is a come-on for lost riches or winning a lottery and has a lot of spelling and grammatical errors. Typically known as advance fee fraud, the victim is enticed in sending money across a border (wire transfer is preferred) to secure their fortune. Of course in the end, the victim never receives anything and is often left in financial ruin.

There are many twists to advance fee and one of them is to send a bogus financial instrument to a person with instructions to cash it. If the person doesn't get arrested for presenting it, they are instructed to send the money back to the scammer. Of course, the cashing institution eventually figures out the instrument is bogus and the victim is held liable for it.

A lot of people think that advance fee all comes from Nigeria, which isn't true. I've personally traced it to a lot of other places and called some of the telephone numbers. The person answering didn't sound Nigerian and I've spoken to a few people from Nigeria in my time. Naturally, this doesn't mean that scam activity is not coming from Nigeria and just that not all of it does.

Pam Dixon, of the World Privacy Forum, went on record recently that the spelling and grammatical errors aren't being seen as much in advance fee lures anymore. Obviously, advance fee scammers, wherever they hail from, are being more careful and have discovered spell check?

To close, the Anti-Phishing Working Group's recent report on phishing, which is delivered via spam, has noted that the number of crimeware-spreading URLs out there has increased 258 percent versus the same time period last year. It also noted a record high in the amount of hijacked and victimized brand names. Last but not least, it noted another record in the amount of malicious application variants being seen in the wild (on the Internet).

This would suggest that spam is getting more dangerous and the people sending it are becoming more sophisticated. The smartest thing to do with all spam is to delete it. Making sure your computer's security is updated with a known and reliable vendor is also a smart thing to do. After all, as I've speculated many times before, most fraud, phishing and financial misdeeds on the Internet start with spam.

0 comments

The $9 Million Electronic Robbery at RBS WorldPay

With the Heartland Data Breach still fresh in the news, word of a $9 million heist using data from another payment card processor (RBS WorldPay) has hit the air waves. RBS WorldPay reported in December that their payroll card system was hacked and 1.5 million financial and 1.1 million personal records were compromised. Payroll cards are used by employers to pay their employees by loading their pay onto a debit card.

A Fox News investigation has now revealed that on November 8th, a coordinated attack netted $9 million using cloned cards in 49 cities, worldwide. The attack occurred all over the United States, Montreal, Moscow, and Hong Kong in about 30 minutes.

Another scary aspect to this attack was that the hacker was able to remove the daily withdrawal limits of the cloned cards. According to the Washington Post, 100 cards were used and fake deposits were used to refuel the balance on the cards. Large withdrawals were then made again and again on the cloned cards. Please note this represents that a very small percentage of the total cards compromised were used in scheme. No information was available on how they refueled the accounts.

I've seen accounts refueled using bogus checks, however in this instance, I would suspect it occurred in a more electronic manner. This leads me to believe we will see more disclosures regarding this case as time goes on.

According to official reports, there are no primary suspects in the case. Photographs of some of "lower level soldiers" used to withdraw the money have been released in the hope that (if caught) they will provide information on the people, who provided them with the cloned cards. Unfortunately, with the anonymous nature of the Internet, coupled with the fact that chat-rooms are often used to facilitate the distribution of stolen data, the lower level soldiers might not know the identities of the main players, themselves.



In the recent Heartland breach, it was disclosed that they met PCI DSS (Payment Card Industry Data Security Standards). According to Visa's list of PCI DSS certified vendors, "RBS Lynk" (Royal Bank of Scotland) is certified. PCI DSS standards are the payment card industry's solution to protecting their data from being misused.

I also discovered that RBS World Pay and TrustWave put out a press release in 2007 announcing they were providing level 3 and level 4 merchants with a specialized data security service to identify their risks and vulnerabilities. The idea behind this service is to help these merchants become PCI DSS compliant.

Interestingly enough, TrustWave also certified Heartland in 2008, according to the article I read in Dark Reading.

PCI DSS has been criticized as being expensive for merchants and now we are seeing it compromised, too. The sad thing is that despite a lot of money being shelled out to become PCI DSS compliant, the people shelling it out seem to be just as vulnerable as they were before. In fact, someone might conclude that PCI DSS is giving everyone a faux sense of security (opinion).

As usual, in these cases, a class action law suit has been filed against RBS WorldPay. WorldPay has also announced the cardholders will not be held liable for the charges, according to the page on their site about this matter.

Thus far, according to all the sources I read, no identity theft has occurred. My guess is that because the 1.1 million people compromised are monitoring their credit, none will occur in the short-term. In most of the many breaches I've read about, very little of the information was used after the breach was disclosed. If you think about it, this makes sense because measures have been taken to make the information useless to criminals.

To close, I would like to add another thought. The fact that payroll information — which included personal information — was hacked might point to another example of how storing too much personal information in too many places is the root cause of the problem.

There has been a push to put everything from payroll to government benefits on payment cards. When this occurs, personal information as well as the financial data used to produce the debit card accounts is stored to process the transactions. Since employers (and the government) use vendors (card issuers) to accomplish this task, this means we have sensitive information being transferred to third parties. It wouldn't surprise me if these third parties transfer the information somewhere else when they outsource it, all over again.

Perhaps, what is needed is a common sense solution to the problem. As long as we keep sending information all over the place, it creates too many points where it can be compromised. The bottom line to all this is we appear to be making it too easy for criminals to take advantage of the situation.

The costs are getting out of control, too. Although I've never seen any information on how much of this is going on, the Washington Post quoted a source from the security industry (Ori Eisen, 41st Parameter) as stating $50 million was lost in one month in New York City alone last year.

I wonder if any of our bail-out (taxpayer) money is being used to cover these losses. Although, I can't say for sure, the people it was given to can't seem to say where it has gone, either. Granted, it might be a long shot, but the money had to be given to cover losses caused by people who were a little too greedy in the first place. We need to wake up and realize that there is no free lunch and the costs of all these types of scenarios are passed to all of us when history is written.

There is no such thing as zero fraud liability!

0 comments

Increase in Scams Attributed to Economy

I just finished reading an interesting article in the Wall Street Journal by M. P. McQueen, which suggests that the bear market is creating a bull market for fraudsters. According to the numerous experts cited in the article, the reason for this is economic gloom and doom with a healthy dose of anxiety.

This shouldn't be surprising because gloom, doom, and anxiety make effective social engineering tools that can be used to part people and businesses from their money.

The article references phishing expeditions that lead to fake Web sites — which often spoof a financial institution or government entity — and entice people into giving up enough of their personal details to drain their financial resources. It also mentions that some of these sites leave behind malicious software on a person's machine, which steal all these details automatically.
Also mentioned is the use of VoIP (Voice over Internet Protocol), caller-ID spoofing and cell phone technology to mount texting and vishing attacks. Vishing is merely another method of tricking people to give up personal and financial information via the telephone. In these attacks, the caller ID is spoofed to make it appear as if it is coming from a legitimate institution.

Apparently telephone technology is being used to commit other types of crimes, too. Many of our 911 centers cannot identify spoofed calls coming from computers using VoIP technology. This has led to S.W.A.T. teams being tricked into deploying in full battle gear to residential neighborhoods when no emergency existed. Of course, businesses use the same technology to trick people who have caller ID into picking up their telephones. You can even buy a card to do this at will from any telephone right over the Web.

It sometimes amazes me how much irresponsible technology there is out there, which is being sold legally. There are even Web sites, with disclaimers, that specialize in making this technology available to the general public. Of course, there are also complete DIY (do-it-yourself) phishing kits being sold over the Internet. Some of these even come with tech support. The phishing kits are illegal, but can be found for sale in chat rooms if you know where to look for them. Sadly, the truth is that these chat rooms aren't very hard to find. The fine line between legitimate enterprise and scams is often a little blurry.

The WSJ article quotes a lot of experts, including Gartner, the FBI and the National White Collar Crime Center, who all seem to agree that scams are on the rise. An interesting phenomenon called out were small fraud charges being found on accounts. I guess taking small amounts, which might be mistaken for bank fees, is a good way to stay under the radar. A lot of people don't realize how many small fees are being charged to their account and it can be quite confusing at times. I guess the crooks are trying to make themselves look like bankers (speculation) and it's probably a good time for all of us to review our statements, carefully.

Speaking of fees, which are used as revenue streams by a lot of businesses, the WSJ put out another article this entitled, "In the Fight Against Bill Creep, Every Extra Fee Is the Enemy." Besides being on the look out for cyber scammers, this article points out other reasons it is smart to review our financial statements with a keen eye these days.

Another notable trend in the past 12 months is executives being targeted. In this trend, specific people within organizations are being targeted and tricked into downloading malicious software on machines. In one of these scams last April, the targets were led to believe they were being subpoenaed to testify in federal court.

Last, but not least, the article points out that job scams are on the rise. It's a well established fact that job sites from Monster to Craigslist have scammers operating on them to recruit people to launder money, cash bogus financial instruments or give up all their personal and financial information. Adding fuel to this fire, it was disclosed recently that Monster.com had been hacked.

Capping off this interesting article — which is a pretty good recap of recent scam activity — is Pam Dixon of the World Privacy Forum pointing out that scammers have learned how to use "spell check." In the past, one of the best ways to identify a scam was it's lack of proper spelling and grammar. While the scammers might have have learned to use spell check, it might also point out that there are more and more people out of work (with better grammar skills), who are becoming scammers.

The WSJ quoted a lot of experts that agree with them that scam activity is on the rise. Another interesting read supporting this (not mentioned in their article) is the recent report that was commissioned by McAfee. This report points to all the unsecured data out there that is fueling the rise in cyber crime. They estimate, at this point, that the financial implications have reached $1 trillion. They also have some interesting information about social engineering and how it is being currently used to commit scams in the current economic environment in another set of articles on their main site.

In my opinion, it makes sense that scams of all kinds are on the rise. There is a lot of confusion going on and people are getting desperate. It might be desperation that is causing more people to get involved in scams on both sides of the fence. For the majority of us, who just want to ride these times out and survive the mayhem, the best thing to probably do is be extra diligent in our financial matters and use a little good old fashioned common sense.

Having dealt with a few scammers in my life, I've found that most of them aren't the most intelligent people around. The best thing to do is to think carefully before jumping in anything of a financial nature these days.

0 comments

Will Heartland Become the Largest Data Breach in History?

According to a press release from Heartland Systems, a payment card processor, their data has been being compromised since sometime last year. On the site, Heartland set up to cover the incident, it says they promptly notified the Secret Service and hired two teams of forensic computer investigators to look into the case after they discovered their systems had been compromised.

Heartland was initially notified by Visa/Mastercard of suspicious activity, which led to malicious software being discovered in their system. The malware in question was harvesting and (obviously) transmitting data. In the press release, they state they believe the breach has been contained. Heartland claims no merchant data, social security numbers or unencrypted PINs were compromised. They were also quick to add that their check management systems, Canadian payroll, campus solutions, micropayments operations and recently acquired Network Services and Chockstone processing platforms had not been compromised, either.

It should be noted that in previous breaches, additional items were later discovered to have been compromised as the investigation progressed.

Brian Krebs at the Washington Post interviewed Robert Baldwin, Heartland's president and chief financial officer, who stated they don't know how many transactions were compromised. In the interview, Baldwin pointed out that since the card numbers compromised didn't have address information; it would be hard for fraudsters to use them in card-not-present (e-commmerce) transactions. Most e-commerce platforms validate the address tied to the card as a security measure. I thought about this for a second and remembered that Visa/Mastercard had warned Heartland about suspicious transactions. If there were suspicious transactions, I would deduct someone is using this data to commit fraud. Besides that, I doubt anyone sophisticated enough to pull this off would go to all this trouble (and potential legal exposure) if they couldn't use the information to make money. This is another thing that might suggest additional information will be discovered as the investigation progresses.

In the interview, Baldwin declined to name any of their customers, who were compromised. Heartland processes payments for about 250,000 customers and processes about 100 million transactions per month. He also said they will not be offering identity theft protection since not enough information was stolen to commit identity theft.

On the Truston blog, Tom Fragala, aptly pointed out that this equates to four billion transactions a year. Many are speculating that this will turn out to be the largest known data breach in history. Tom's company, which offers a privacy-friendly identity theft prevention and recovery service, offers a 45 day free-trial of their services. Even after the 45 days, the prevention part of the service is free.

Tom blogs on matters like this and wrote an interesting article pointing out the consumer protection features of debit and credit cards. Please note, debit cards offer less protection. The point is that if a card owner doesn't discover the fraud in a specified time period, they can be held liable for the financial loss. It's probably a good time for everyone to pay attention to their statements, carefully.

Given the mandatory notification laws, which have been passed in almost all 50 states, this is going to equate a lot of people that have to be notified. Simply stated, it's going to be a "notification nightmare." It should be noted that shutting down all the compromised cards and notifying victims is a substantial cost in any data breach.

SC Magazine also covered the story and got a quote from Rich Mogull, founder of IT security consultancy Securosis, who pointed out there is a trend of malicious software being planted somewhere in the processing system in all the high-profile data breaches seen in recent history. TJX (94 million cards compromised), Hannaford and CardSystems (40 million cards compromised) are all being cited as examples.

According to Visa, Heartland was validated as Payment Card Industry Data Security Standard (PCI DSS) compliant on April 30, 2008. They then stated this status was being reviewed. Trustwave is Heartland's PCI assessor. Hannaford was PCI compliant at the time they were compromised, also. According to the article in SC magazine, TrustWave wouldn't return calls to comment on this.

On the Heartland site, it mentions they are a founding supporter of the Merchant Bill of Rights, which advocates for and educates merchants on fair practices when they accept payment cards. Two of the biggest heartaches for merchants accepting payment cards are the interchange fees and becoming PCI compliant, which is considered an expensive process. Interchange fees are a tariff charged by the credit card companies on every transaction and according to the critics are not very equitable. Estimates have been made in the past that they equate to $30 billion in extra fees added to the cost-of-goods sold with payment cards, yearly. Ultimately, these are costs are often passed on to the consumer.

So far as PCI compliance — which now seems to have been proven ineffective in at least two instances — the National Retail Federation has responded by going on record to challenge the card issuers on their requirements to store data. Because of the cost, a lot of merchants have been slow to adopt PCI data-security standards and the merchants who are not in compliance face fines by the payment card industry.

Storing this data is required to prevent the third headache merchants face when accepting payment cards, or what is known as chargebacks. Chargebacks are when transactions are charged back to a merchant account because of alleged fraud. The NRF contends that being forced to maintain the data to protect themselves makes it easier to compromise.

Heartland is being challenged for releasing this information during the inauguration, when it was less likely to be a hot story. Although this seems to be the case, we need to realize the stakes in data-breaches are high. In the last breach involving a card processor (CardSystems), the card-issuers stopped doing business with the company and the end-result was the company is no longer in existence. Also, it should be pointed out that Heartland wouldn't be the only company that seemed to be very cautious when disclosing the fact that their data was compromised. Once disclosed, there is little doubt that the company in question faces some extremely unfavorable public exposure.

On a closing note, data breaches continue to occur at alarming rates. All sides of the equation need to come together and figure out solutions that work. One of them might be to upgrade the plastic to chip and PIN technology, which has become the standard in other countries. Nigeria was the most recent country to mandate this technology. While this might not directly stop data breaches, it would make it a lot harder to counterfeit the plastic, which is what the criminals use to cash-out the proceeds of data breaches with.

The other problem is that credit card fraud has been made too easy to commit. Card data and the tools to produce counterfeit cards are easy to obtain and even sold in chat rooms. A lot of this technology can also be bought on (what I consider) questionable sites, including eBay. Very few of these fraudsters get caught and because of this; it appears that the activity is getting more and more organized. Historically, the cost of all this seems to have been written off as a cost of doing business. In reality, a lot of these "costs" are passed on to the consumer in the form of higher interest rates and fees.

My prediction is that with the state credit is currently in with the sour economy, coupled with the increase in criminal activity, we are getting to the point where it is going to be hard to simply write-off all the financial costs. Until we start punishing the criminals effectively for this type of activity, it is going to continue to grow and probably prosper.

Update 2/13/09: It appears that the first arrests in the Heartland Data Breach have been made in Leon County, Florida. Three men (Tony Acreus, Jeremy Frazier and Timothy Johns) were encoding numbers stolen in the breach on gift cards and using them at Walmart.

The official press release from the authorities credits Walmart for supporting the investigation.

While it's great a few people got caught -- this probably only accounts for a small amount of the stolen data. My guess is that our three fraudsters bought the numbers via anonymous sources (probably on the Internet).

0 comments

Fake Obama Site is a Malware Booby-Trap

Over the weekend, I got an e-mail from my Mom warning me not to open any e-mail with the title "Obama Acceptance Speech" because it contained a trojan. It even cited Snopes as stating that the threat wasn't a hoax. I sent her a reply referencing the last post on spam I did, which had a paragraph about Obama spam on it. My point was anyone who thinks there is only one e-mail of this type is out there is probably sadly mistaken.

On Sunday, with the inauguration less than 24 hours away, I got a hot tip that the Symantec Lab had detected another round of Obama spam with malicious intent being sent across the electronic universe. Zuftikar Ramzan announced on the Symantec Security Blog that this latest round of Obama spam uses lures with titles like "Our new president has gone," "Obama refused to be the president of the United States of America," and "There is no president in the USA anymore and Obama has gone."

Zuftikar also mentioned a link in these e-mails (removed for safety reasons) leading to a faux website that looks amazingly similar to the official Obama-Biden site. The fake site can be seen below:



This fake site attempts to exploit weaknesses in a Web browser to install malicious software without the owner's knowledge. According to Zuftikar, the page and its links all have malicious software on them. In other words, the entire site is literally a virtual booby trap.

The files are titled usa.exe, obamanew.exe, pdf.exe, statement.exe, barackblog.exe and barackspeech.exe. While the titles might be different, they lead to the same variety of malware known as the W32.Waledac. This malicious software is capable of stealing sensitive information, turning your machine into a spam-spewing zombie and leaving a back door for a hacker to gain access to it.

Political themes have been used a lot in recent times to lure people into clicking on links in spam e-mails they shouldn't have. Other common lures include the old fashioned too-good-to-be-true, security and badge-of-authority types (IRS, FBI, CIA, etc.).

With tax season upon us, expect the IRS to be a common one used in the near future.Symantec does provide removal instructions for this malware on their site, but most of us are far better off by not clicking on this type of stuff in the first place. These e-mails are sent out by the millions and the best thing to do is hit delete before opening them up.

0 comments

Inauguration Security Sets a Record by Itself!

The inauguration of the forty-fourth president, Barack Obama, will have a security force larger than what is currently deployed in Afghanistan to ensure it is a safe and sane event. The human resources securing the event will include Secret Service personnel, almost 30,000 National Guard troops, close to 1,000 FBI personnel, 8,000 police officers, TSA screeners and other more obscure assets.

The security assets deployed for this event are so numerous, I had to read several mainstream news articles and press releases just to try to determine how many agencies were involved. Even after doing this, I would guess there are some that are not being publicly disclosed for good reasons.

Michael Chertoff, Homeland Security Secretary, will be on-hand himself and operating from a multi-agency command center. The command center will have representatives from 58 federal and local agencies. These representatives, who will all be in the same room, will give those involved in the event the ability to instantly communicate with each other.

The command center is live as of this writing and will remain in operation until 4:00 p.m. (Eastern Standard Time) on Wednesday. This is, of course, unless something happens and it needs to remain in operation longer.

Chertoff believes this will be the most complex security event ever mounted, but also mentioned to CNN that he is worried about the cold weather and the impact it might have on unprepared visitors. We need to remember that a lot of unfortunate things can occur when a mass of human beings gather. Unlike most of Bush's administration, Chertoff will remain on duty until after the inauguration is over.

An official press release from Secretary Chertoff, District of Columbia Mayor Adrian M. Fenty, Maryland Governor Martin O’Malley and Virginia Governor Timothy M. Kaine on the inauguration can be seen on the DHS site.

I found more information about inauguration security on the Secret Service site, which states that the FAA (Federal Aviation Administration) will be stepping up security on the air corridors around DC and the Coast Guard will patrol on the Potomac. It also mentions that the police involved will be from the Washington Metropolitan, Park and Capitol departments. If you are attending the event, or live in the area, it has a list of road closures that will be in effect during the inauguration.

The FBI is deploying lot of high-tech security devices including mobile command centers, mine-resistant ambush-protected vehicles, bomb containment vessels and bomb technician vehicles, which resemble a mobile-home.

Mine-Resistant Ambush-Protected Hummer

In addition to the high-tech specialty equipment being deployed by the FBI — they will have a SWAT Team, Hazardous Materials Response Team, Bomb Technicians, an Underwater Search and Response Team and Crisis Negotiators — at the ready to handle a crisis scenario.

Mobile Bomb Containment Vessel

The military personnel — who will be mostly National Guard troops because of a law that prohibits active duty personnel from engaging in domestic law enforcement duties — will have assignments in the events, also. These include providing bomb sniffing dogs, NBC (Nuclear, Biological and Chemical) teams, transportation and communications units.

According to all of the officials involved, there is no specific threat they are worried about. Although some of the pundits are complaining that the security for this event is too intense, the proof in the pudding will be allowing them to claim they were right after it is all over. If that is the case, nothing will have happened and these measures will have accomplished their goal!

0 comments

How Foreign Crime Gangs Establish Their Identities

A Washington Post story about a Korean organized crime ring -- operating within driving distance of our nation’s capital -- reveals how these groups are involved in a wide-variety of criminal enterprises designed to create illegal revenue flows. It also shows how foreign criminals establish themselves and operate within our society.

The problem isn’t people trying to make a better life for themselves, the problem is that criminals are able to easily manipulate the security of our borders. There is even a good example in the story of how illegal immigrants are routinely victimized. In order to pay back their debt for being brought in illegally -- they were working in a sweatshop located in a middle-class residential neighborhood — producing counterfeits of designer labels.

On a side note, according to the International AntiCounterfeiting Coalition, counterfeit merchandise is a $600 billion a year problem in itself.

The story, written by Tom Jackman, of the Washington Post details an undercover investigation that starts with manipulating cigarette taxes and progresses into identity theft, mortgage fraud, money laundering, counterfeiting and even murder-for-hire.
The initial scheme with the cigarettes involved buying cigarettes in Virginia — which has a 30 cent per pack tax -- and transporting them to New York where the tax runs $4.25 a pack. Like the designer clothing being knocked-off (counterfeited), the tax stamps were counterfeited. According to an ATF agent quoted in the story, this equates to billions of dollars that have “gone missing” in tax revenue.

The identity theft and resulting crimes, such as mortgage and credit card fraud, were discovered when undercover agents were introduced to an individual selling social-security numbers and passport information obtained from Chinese nationals working in the Marianas Islands. This information was then used to establish credit and obtain identification to make the members of the gang appear to be legitimate members of our society.

The investigation also uncovered a dishonest DMV employee in Illinois, who was providing identification to members of the group. These documents were then traded in for identification from other States. In this case, the State was often Virginia. This sent shivers up my spine as I remembered that Mohammed Atta and crew used Virginia, Florida, New Jersey and California driver’s licenses' — which were obtained after they entered the country with counterfeit documents – to board the planes in what became 9-11.



In the past, I’ve written about and spoken to Suad Leija and her husband, who have been working with the government to expose a cartel that operates throughout the country providing counterfeit identification documents. They have dubbed these documents, “Paper Weapons” because they can be used to commit crimes or even achieve radical political objectives. Suad’s story has been covered in the mainstream media on a fairly regular basis. According to the conversations I've had with Suad and her husband, most of the people illegally entering the country use what are known as "feeder documents" to establish themselves. Their eventual goal is to establish an identity that appears to be as legitimate as yours or mine. Once they accomplish this, the identities can be used to establish credit and even get a mortgage.

In the Washington Post story, no mention of direct fraud involving a financial loss is mentioned. The intent seems to be to use the identities to establish a "seemingly" legal status and then commit other crimes. The story mentions that the group offered to help launder the illegal revenue being made from selling the cigarettes. This was done with personal and cashier’s checks, which suggests the identities were also used to open bank accounts.

These fraudulently established identities were also being used to buy real estate. Although no direct financial fraud is mentioned in the article, it wouldn’t be very hard for people doing this to get some home-equity loans, cash them out and disappear. They could do this if they were leaving the country, or simply move on to another identity and do it all over again. Given that we are in a pretty severe recession, sparked by a mortgage crisis, it again made me wonder how much of it might have been caused by fraud that we aren’t even aware of?

When the sweat shops were raided, crack pipes were found. This was probably to keep the people working in them in a state of addiction, which would assist in keeping them under the control of their keepers. Abuse of illegal immigrants is well-documented and this is probably only one of many examples going on throughout the country at this very moment. It isn’t unknown for illegal immigrants to be forced into smuggling drugs, committing financial crimes or even becoming prostitutes.

This is just one example, but a good one, of how insecure our borders really are. It also shows the more severe consequences of allowing identity theft to run rampant in our society. Now that the election is over, perhaps it’s time for our politicians to stop ignoring the problem. We are a nation of immigrants, and in the end, very few of us are against hard-working people trying to better themselves. The problem is that the way we currently approach the problem enables criminals (and potentially terrorists) to operate and profit at the expense of society.

0 comments

Spam Levels on the Rise, Again

With the shutdown of McColo by Internet Service Providers in November, global spam volumes dropped over 50 percent. Sadly, this appears to have been a short-term fix. According to a new Symantec report, the spammers have moved to new locations and the volumes are back up to 80 percent of pre-McColo levels.

While spam originates from a lot of places, the United States is still in the number one spot, with 27 percent of the spam observed originating from there. China and Brazil tied for second place with 7 percent of spam originating from these countries.

The report indicates that URLs in Canadian Pharmacy spam messages were noted as being top-level Chinese domains (.cn TLD). Could this mean that Chinese knock-off (counterfeit) prescriptions are trying to make it appear as if they are coming from Canada? Given the recent concerns of tainted and poisonous merchandise being exported from China, this might be a concern. Of course, I would think that buying prescription meds over the Internet should be a concern to most people, anyway.

In another variation of recently observed spam, a user is invited to join a social networking site. The link goes to a real group, which was created on the social networking site by the spammer. The group then links to a free blogging site, which redirects the victim to the ultimate destination URL. At the destination URL, personal information is requested, which is probably used to sell to marketing companies or used in other spam campaigns. Please note, although not mentioned in the report, that some of these campaigns might have malicious intent or be scams.

Also noted during the holiday season was a lot of e-Card spam. This spam sometimes comes with malware (malicious software) designed to steal personal and financial information or turn your machine in to a spam spewing zombie computer using your credentials.

A partcularly deceptive spam delivery method noted recently is spammers inserting their messages into legitimate newsletters. This method seems to get past spam filters pretty effectively. If the recipient clicks on the message, they are taken to a spammer site. Here again, it might be a site selling junk, but also could be a site with more malicious intent.

Another spam trend in vogue these days is to use the recession as a social engineering lure designed to get people to click on a spam link. Messages are being sent out in the millions touting easy bail-out money to be had and an assortment of the normal get-rich- quick schemes. If it's too good to be true and doesn't make sense, it's normally a scam, and I suspect that most of this type of spam is one.

Last but not least, the spammers are still using President-elect Barack Obama's name to market coin offers, a "Barackumentary DVD" and a free Visa card for helping the Obama clan pick their dog.

Shutting down McColo by reaching out to the ISPs — which was done largely through the work of Brian Krebs at Security Fix (Washington Post) -- showed that a significant impact can be made on spam when ISPs are held accountable. Given that Brian is one person and a journalist, this was an admirable piece of work. The fact that spam is approaching pre-McColo levels tells us that there are more ISPs that need to be held accountable. Maybe in the end, government and international agencies need to follow Brian's example and and make an impact on spam levels that will last a little longer.

Spam is a dangerous pain for everyone who uses e-mail. Most scams, questionable goods and services and cyber-attacks using malicious software start with a spam e-mail. Shutting down the spam operators can only make everyone's experience on the Internet a little more safe and sane.

0 comments

Twitter Users (Including Barack and Britney) Hacked and Phished

The Phishermen (and probably a few women) are always looking for fresh waters to hook some unsuspecting phish — so it should be no surprise that Twitter is their latest target. After all, e-mail, cell phones, and Facebook have already been phished, along with countless desktops and laptops.

According to a Symantec blog post, Twitter users are receiving warning messages from Twitter command and control about this matter. The blog post by Marian Meritt, the Internet Safety Guru at Symantec, gives blogger Chris Pirillo credit for breaking the story on Saturday. According to the blog post at Symantec, the messages appear to come from someone you know at Twitter with a link to a malicious website designed to steal information.

Twitter also put up a warning on their blog. It starts with a Wikipedia definition of phishing and then details how the phishing attack will come in the form of an e-mail message notifying a person they have a Twitter Direct Message. Thus far, the social engineering lures being used in the e-mail go something like this: "Hey! check out this funny blog about you..." and direct the user to click on a link to a fake website.

They also point out that if you look at the URL you'll see that it is not the same as the URL for the normal landing page for Twitter. A trick to do this (without clicking on the link) is to hover your mouse pointer over the link. If you look at the bottom left portion of your page it will display the URL the link goes to. With all the malware people can get nowadays by just visiting (driving-by) a malicious page — this is a much safer way to go about it rather instead of actually clicking on the link to find it.



Twitter blog picture showing where to look for a suspicious URL

Authentic looking phishing sites aren't hard to create. Often the hacker merely copies the pictures of a legitimate site and puts them on a compromised (hacked) site so the activity can't be traced back to them. Hackers frequently seek out sites with poor security to compromise and put up their own (malicious) site.

Also contained in the blog entry are instructions on what to do if you've been phished. Basically, they direct you to their password reset tool and a legitimate e-mail will be sent to you so you can change your password.

Interestingly enough, Twitter also reported this morning that 33 prominent Twitter-ers were hacked over the weekend. Apparently, the notables included President-elect Obama, Rick Sanchez, and Britney Spears. According to Twitter, this attack has nothing to do with the phishing expedition into their waters. Apparently, someone hacked into some of the tools their support team uses to help people with their e-mail.

They also pointed out that Mr. Obama hasn't been twittering lately due to issues with the transition.

0 comments

Richardson Steps Down Because of a Scandal - What Else is New?

In the second scandal in recent weeks — where palms were allegedly greased to gain political favor — New Mexico Governor Bill Richardson has announced he is withdrawing his nomination to be President-elect Barack Obama's Commerce Secretary because of a grand jury investigation into how one of his political donors won a lucrative state contract.

The first scandal in recent weeks was, of course, Illinois Governor Rod Blagojevich allegedly attempting to sell President-elect Obama's recently vacated Senate seat.

The federal grand jury is investigating how a California company, which contributed to Richardson's campaign, won a $1 million transportation contract.

Governor Richardson — who like Governor Blagojevich is not stepping down from his position as governor — has stated he is confident the investigation will reveal he acted properly in the matter. His rationale, as stated in this Washington Post article, is that the investigation could take a long time and he doesn't want to get in the way of important work that needs to be done.

President-elect Obama accepted the resignation with deep regret and cited Richardson's long history of service to the country, both at the state and the federal level.

The federal grand jury investigation in question was announced in mid-December and revolves around whether or not CDR Products was awarded a 1.4 million contract after making contributions to Richardson's political action committees. The contributions of $100,000 were made in 2004 by CDR (based in 90210, Beverly Hills, CA) shortly before they obtained the contract.

Reports indicate that this case is part of a larger one involving the FBI's investigation into "pay to play" practices involving governent bonds. In another part of this investigation, the mayor of Birmingham, Alabama, Larry Lanford, has been indicted for taking hundreds of thousands of dollars in gifts and loans that led his city into bad investments and ultimately, bankruptcy.

Al.com just reported that corruption has dominated the news in Alabama in recent history. In a telling statement, the article noted that corruption deserved top billing in 2006 and 2007, also. Alabama Governor Don Siegelman continues to try to overturn his 2006 conviction on bribery charges, and their Chancellor, Roy Johnson, plead guilty in a federal investigation of corruption in the state's two-year college system.

The sad thing is that politicians being charged and convicted of fraud are becoming too common. From a congressman allegedly getting caught with $100,000 in his freezer, to a senator allegedly accepting $250,000 in gifts from an oil company executive — I sometimes wonder if I am living in a foreign land, where we would expect this to be the status quo. Please note, there are many more examples of public figures getting caught with their hands in the cookie jar in recent history. Please note also that the incidents of alleged corruption involve leaders of different political affiliations.

As we are only days now from President-elect Obama's administration taking office, we face the worst financial crisis since the depression. Not only are we experiencing a financial crisis, but many believe our nation is severely divided; and to top it off, we are at war.

President-elect Obama has spoken out many times on the evils of special interests and lobbyists, who seem to be able to control our government's destiny. Even after Wall Street laughed all the way to the bank (for years) when the mortgage crisis was created — it seems we are being held hostage to bail them out or face even more severe financial consequences.

Change is what is needed and hopefully that is what is about to occur. On his transition website, President-elect Obama is encouraging open government and soliciting us all to write in with our own ideas. I think this a good thing and we all should do it. Our nation was founded in part because of taxation without representation and if you think about it, an argument might be made that this what we've been seeing in recent history.

During the election, I struggled a lot with how to cast my vote; my uncle (who is a huge Obama advocate) sent me a YouTube video about Obama set to John Lennon's song, Imagine. For those of us who still remember his music, Lennon had another song called Gimme Some Truth. What we need now is to imagine our leaders are there for us and to stop finding reasons to lose faith in them.

0 comments

Fraudulent Checks Too Profitable for Criminals

Fraudulent checks, bank drafts, money orders, travelers cheques and gift cheques seem to be showing up all over the place. While a portion of these are passed by professional criminals — who sometimes recruit people off the street to pass them — a lot of people are being tricked into cashing them because they believed a (too good to be true) money-making opportunity.

Unfortunately — with the current state of the economy — people seem to be falling for the too good to be true scam opportunities more and more frequently.

Even though the quality of these fraudulent instruments varies, many of these counterfeit items are now produced with magnetic ink that scans. High quality check stock complete with the latest security features can be purchased in office supply stores or on the Internet. This means they scan through most of the readers in point of sale systems at businesses. When used with a real account number, which is why counterfeiting works, these items can be difficult to detect as fraudulent.

The increase in counterfeiting isn't limited to checks. Complete sets of counterfeit documentation are being presented at banks to open new accounts. A small amount of money is put into the account so funds verify on an individual check and then an area is plastered with a lot of checks. Sometimes this is done over the weekend and the funds put in to verify the checks are removed the following Monday. The identities used to pass these checks are often stolen. Since the identities and checking accounts are changed frequently to avoid detection, it's difficult to tie all the activity back to one group or person.

Frequently, people who are down-and-out are recruited to pass these items after receiving a promise for a few quick bucks. If they are caught they are normally considered "expendable" by the people behind the schemes. Sometimes, they even do this using their own identities.

It should also be noted that the groups opening fraudulent accounts and counterfeiting checks also set up phony numbers and even business addresses that get listed in 411 and on information sites fairly easily. Most people would be amazed at how easily they accomplish this because little to no verification is done by the companies listing these numbers. This is also done in a lot of the Internet-related scams and it is not uncommon for them to list a number to a financial institution that isn't real. When they set up these numbers, while the scam is active, they have people answering the lines. Often, if you listen carefully, it's pretty obvious that it is not a legitimate business and sometimes calls are forwarded to cell phones.

Another growing phenomenon is that fewer and fewer banks verify funds when businesses try to find out if a check being presented is good. In this instance, privacy laws and fear of litigation probably have enabled the problem to get worse. A lot of businesses use computerized check verification services, but when stolen identities are used, the checks pass through these systems fairly easily. Even worse, after the check is determined bad and the data goes in the system, innocent people are pegged as passing bad checks.

These checks often returned by the bank for “non-sufficient funds" because they aren't aware the account was set-up with fake information. Eventually the account is closed by the bank, but by this time the damage is done. Since banks frequently don't investigate thoroughly enough to determine the account was set up with fake (often stolen) information, it is never identified as fraud. The exception might be when the bank takes a loss, but more frequently they pass the losses to the entity cashing the check.

It's almost impossible to get anyone prosecuted criminally for non-sufficient funds/account closed cases, which means there is little fear of getting caught in this type of scam. Privacy laws also make it difficult for anyone outside the bank to investigate individual cases. In most cases, law enforcement needs a subpoena, which take time and effort to obtain. Given the resources available at most white collar crime units and the amount of fraud, it often seems like the system is ripe for manipulation by criminals.

Technology and the anonymous nature of the Internet have made check fraud grow substantially. All the necessary software/hardware needed is available right for sale at merchants that sell software and office supplies and on the Internet, itself.

There are also Web sites that appear to be dedicated to providing all the materials to commit fraud despite disclaimers that the items are for educational purposes only. One example, of one of these sites is called HackersHomePage. If you take the time to look at this site — you will see that the the items for sale on this site might enable someone to commit a lot more than simple check fraud.

Another growing phenomenon over the past several years has been the sheer number of counterfeit instruments being passed for a “too good to be true” money making scheme. These schemes, which normally don’t make sense, normally involve secret shopper job opportunities, offers to become a financial representative, auction deals and of course, winning a sweepstakes or lottery.

These scams lure people via spam e-mails, which are sent by the millions, daily. Once someone makes contact with the unknowing victim, they are shipped bogus financial instruments to cash. Along with the bogus financial instrument to be cashed there is a letter instructing the victim to wire the bulk of the money (normally over a border) back to the location of the scammer. Another twist in these money making schemes is to buy small and expensive items, normally electronics or jewelry, and ship them (again) normally overseas. A lot of eBay and Craigslist sellers get taken by these schemes.

From the botnets spewing the spam e-mails out in the millions to the counterfeit checks being sent by the parcelful all over the world, there is little doubt that some pretty organized criminals are behind this activity.

In 2007, an International Task Force monitored the mail in Africa, Europe and North America and intercepted billions of dollars worth (face-value) of counterfeit checks.

The coordination across International borders in these scams is pretty amazing. In any individual scam, the e-mail can come from one country, the checks from another and the request to wire the money to a third.


(Picture of checks intercepted in the mail)

There is also a trend where opportunists receive these items, cash them and keep all the money for themselves. If caught, they pretend to be a victim. If no attempt is made to wire the money to an exotic locale, they are probably in the scheme for their own personal gain. It isn't hard to look in just about any inbox or spam folder, reply to the right e-mail and have all kinds of bogus financial instruments shipped whatever address a person wants.

The first step to recognizing these scams is to understand how they work. Most if not all of the reasons these checks are being presented aren't going to make sense to a reasonable person. The cliche is that they are too good to be true and they normally are.

The best places for potential individual victims to learn how not to be taken are FakeChecks.org and OnlineOnGuard.gov.

A good resource for businesses and other public entities to learn about check fraud is the National Check Fraud Center.

In closing, the sour economy is probably fueling an increase in all kinds of fraud. The bottom line is that individuals and businesses are being ruined by it. When it comes to businesses, any dollar lost to fraud normally equates to a dollar off the bottom line. So far as the individuals being victimized, cashing these items can lead to being financially ruined and even arrested.

The best defense against becoming a victim is to know how these scams work. After all, very few people become victims when they know they are being ripped-off!

0 comments

Who Hacked the Halls of Congress?

Came across an interesting story about the halls of Congress being hacked in October 2006. Although no one knows or is saying, some speculate that the attack can be traced to the Chinese, who seem to get accused of hacking into a lot of government systems (worldwide). Of course, the Chinese officially deny these allegations.

Shane Harris of the National Journal reported the attack was initially discovered in one office, but cyber-investigators eventually traced it to eight members' offices, where one or more computers were infected. Besides this, seven committee offices, including the Commission on China, Ways and Means and the International Relations Committee were identified as having compromised computers in them. The International Relations Committee (now the Foreign Affairs Committee) had 25 infected computers and an infected server found in it.

The virus discovered was a trojan designed to allow malware (malicious software) to invade government machines and steal information. The investigation revealed that the trojan was probably downloaded by an employee, who clicked on a link in a spam e-mail. This method of dropping a virus on a computer is usually referred to as Phishing.

Phishing attacks are normally designed to steal personal and financial information, which is later used to commit financial crimes and identity theft. While most phishing attacks (from a historical perspective) have been financially motivated, we are now seeing more person/position-targeted attacks. This type of phishing is referred to as spear phishing or whaling. In April, there were reports of spear phishing attacks against corporate executives all over the country.

The unidentified hackers used a wide-array of attack methods and the malware was downloaded from random Internet addresses. It's suspected they were using other infected machines to launch the attacks, which makes the activity even harder to trace. In this latest instance, it makes sense; the intent was to steal confidential and sensitive information.

The article points out that there is a lot of evidence that the Chinese have "penetrated deeply" into both government and corporate systems.

Just hours before the Olympics, Joel Brenner, the top U.S. counterintelligence official, warned Americans to leave their smart phones and other wireless computer devices at home. He told CBS News that the public security services in China can turn on a cell phone and activate its microphone when the owner thinks it's off. In July, Senator Sam Brownback also warned that China was planning to mount a massive espionage operation on guests staying at major hotels during the Olympics.

Last year there was speculation in the press that Commerce Secretary Carlos Gutierrez's laptop was hacked during a visit to China and the information was used to hack into government computers. Even scarier, rumors abound that Chinese hackers have already attacked power grids and that they are developing a cyber-warfare capability.

The article's conclusion points to a just released Report of the CSIS Commission on Cybersecurity for the 44th Presidency. The study recommends that President Elect Obama establish a Cyber-Security Directorate in the NSC, who would direct a National Office for Cyberspace.

As a mere observer of all of this, I think President Elect Obama needs to take this report seriously. We need to remember (especially while a financial crisis is going on) that besides being a threat to National security, hacking also threatens our financial stability. Although this post points to the Chinese, they certainly aren't the only players in the International hacking game, and the problem it presents isn't going away. Sadly, some believe the problem is getting worse.

There is little doubt that change is needed in the way we address this problem and hopefully this is what will occur.

0 comments

Keeping an ID Theft Victim's Information Private is Catching On

Tom Fragala, CEO of Truston Identity Theft Services, started his MyTruston identity theft and recovery product based on the principle that he didn't believe an identity theft victim should have to give up their information to a third-party to protect themselves. After all, most of this information gets stored in a database, which is one of main places (besides trash cans) identity thieves go to steal information.

Information stored on databases is legitimately bought and sold by information brokers all the time. Criminals sometimes pose as having a legitimate interest to access the information. Of course, there have also been cases of dishonest employees selling it without a so-called legitimate purpose. This makes it extremely difficult to determine exactly where any stolen information originally came from. At this point in time, so much information has been stolen, we routinely hear about it being sold in chat rooms right over the Internet.

It didn't make sense to Tom to put all this information in another place, where it could potentially be compromised again. Databases have created an ability to store more information than ever before and transfer it with a click of a mouse.

Having been an identity theft victim himself, Tom had some rather personal feelings on the subject. It should also be mentioned that Tom has spent thousands of hours being a personal advocate for victims of this crime.

Since launching the do-it-yourself tool — where you don't have to be an expert to protect yourself or recover from identity theft — it has received numerous awards and become a hot topic within the technology industry itself. Besides not having to be an ID theft expert — you don't have to expose any of your personal information to a third party and the protection aspect is and always has been free. There is a charge for using the recovery tool, which can be cancelled anytime. I'll tell you a secret about that last statement, further down.

I discovered the latest news that the Truston concept is catching on when reading Tom's blog, which is well worth a read if you are interested in identity theft or privacy issues. "Today we announced that our MyTruston product has been included in the portfolio of the Affinion Security Center, the largest provider of identity protection and privacy services. Affinion has nearly 35 years of industry experience and over 65 million members of their many products. Clients of their identity protection and privacy products include Wells Fargo, Bank of America and The Hartford Insurance. Truston's Software-as-a-Service technology is deeply integrated within the Affinion Security Center’s core solution platform, IdentitySecure," according to Tom himself.

Just the day before, Truston also announced a partnership with CreditFYI, which is a one-stop shop for the best credit card rates, best loan rates, as well as, to learn how to protect your good name and credit rating.

Besides Affinion Group and CreditFYI, Truston is a private label partner with Identity Force, which provides identity theft protection services to the U.S. Government. Truston has been given a Four-Star rating by PC Magazine and has received several awards. "Truston's awards include a 2008 Product Innovation Award, a Hot Company 2008 Award, being selected for 10 Companies to Watch in 2008 by the Pacific Coast Business Times, the 2008 Tomorrow's Technology Today award, and it was identified as a leader by Javelin Strategy & Research in their December 2007 identity theft market report," according to the press releases.

If you are interested in just how user-friendly the tool is, the Truston site has a tour you can take.

I've also had the pleasure of speaking with Tom on several occasions and beta tested the tool myself before it rolled out. I've covered this in several blog posts on Tom and the MyTruston identity theft tool.

Now for the secret I promised earlier in the post. I mentioned that using the tool always has been and always will be free, but there is a nominal charge for using he recovery services. The secret is that if you go directly to the Truston site - you can use everything free for 45 days. Last, but not least, this free trial doesn't require you give them a credit card (which will get charged if you forget to cancel) until after the trial expires.

0 comments

Most Internet Scams Start with Spam

I'm sure we've all noticed spam levels are slightly down, or that our spam filters seem to be working a little better. Nevertheless, spam continues to get through filters and for the next few weeks, a lot of it will have a holiday theme. Due to the sour economic situation, it's also likely going to take advantage of financial fears or the promise of a rescue from an already bad situation.

Since most unfortunate situations involving fraud, phishing, and financial misdeeds on the Internet start with a spam e-mail, it pays to use a little common sense and caution before falling for a too good to be true, or sometimes scary e-mail from an unknown source.

Last week, Symantec issued its December 2008 State of Spam Report. It predicts that although spam volumes are down after a lot of providers blocked access to sites hosted by McColo.com, we will likely see them rise again. Spam levels dropped a reported 65 percent after this happened. "McColo.com was allegedly hosting a significant number of botnet command-and-control systems'" according to the report. The bad news is that the report indicates the bad guys are moving elsewhere and that a number of them are hosting their efforts from IP addresses in (where else) China.

Getting back to the holiday season, the report notes that spammers are mimicking marketing come-ons from legitimate retailers offering holiday shopping deals. This makes it hard to distinguish exactly who is behind the e-mail. Sometimes the line between legitimate and illegitimate becomes a little blurry, which is something spammers have always taken advantage of.

The report also reveals a lot of links leading to malware infected sites in spam e-mails are using political themes to draw in their victims. Items related to Barack Obama are especially popular with spammers and scammers. In another twist to using Obama's good name, one spam campaign offered a Barack Obama coin, "a piece of history for only $9.95 plus shipping." This was an attempt to steal debit and credit card information.

Hot news stories were also used as lures to download malicious software. In particular, the recent Mumbai terrorist attacks pointed to links designed to infect machines. Ironically, a lot of this malware is designed to turn a computer into what is referred to as a "zombie," which when used in a botnet is used to send out even more spam.

While we haven't seen the holiday season pass, spammers of the scammer type are already using the IRS name to steal personal and financial information. The pre-tax season phishing scheme mentioned in the Symantec Report involved a come-on designed to snare people by telling them they had a tax refund or economic stimulus payment due to them. The link in these e-mails went to fake IRS site(s) — complete with offical logos — designed to steal personal and financial information.

The IRS isn't alone when it comes to having their good name spoofed. Just this week the FBI reported that their name was being used (yet again) in a campaign involving a typical Nigerian 419 scam. If an intended victim got leery after initially responding — they were threatened with "official consequences" should they fail to turn over the required personal and financial information.

Fear or scaring a victim into submitting to a scam is nothing new. In fact, some of it is now being referred to as Scareware. Scareware most frequently surfaces as a fake message claiming your computer is infected. In then offers to fix the problem for a nominal amount of money. My guess is that malware might actually be downloaded on a system by clicking on one of these come-ons.

Since it's hard to pay in cash over the Internet, anyone who pays on this form of extortion might have their method of payment stolen, also. Symantec recently released another report showing how many personal and financial details are for sale (super-cheap) on the Internet.

Alex Eckelberry of Sunbelt Software and the popular Sunbelt Blog just posted a visual presentation of scareware examples on his Flickr account.

There is little doubt that spam and its intended purposes have made the electronic world somewhat of a "virtual minefield" at times. It pays to make your computer bullet-proof by using good state of the art software from a legitimate vendor, but even if you are protected in this manner, you also need to protect yourself from social engineering schemes designed to lure a person into doing something they are going to regret later.

The Anti Phishing Working Group offers sage advice (from a variety of reputable sources) to the average person on how to avoid becoming a victim. Interestingly enough, they also recently released a report that is rather ominous stating the the number of crimeware spreading URLs are at an all-time high. Crimeware is another name for malware when it has a pure criminal intent.

To close this post, I'll point to a amusing video Symantec did on the 12 Days of Christmas Spam. It's probably best to end on a lighter note on what has become a serious problem.

0 comments

Is the CheckFree Hack a New Information Theft Trend?

It was revealed earlier in the week that hackers had taken command and control of a free e-bill Web site called CheckFree.com. CheckFree offers their customers the ability to collect all their bills and pay them with a few clicks of a mouse.

CheckFree is one the larger companies in e-payment business and serves about 24.7 million customers. Given this, there is little doubt they have a large amount of personal and financial data passing through their site.

The hacking method appeared to be a little less than sophisticated. Someone stole the username and password to the site and put in changes that directed users to a page that installs malware on the user's machine. This was done by changing the address in CheckFree.com's domain name system (DNS) to redirect visitors to an Internet address in the Ukraine. Although CheckFree is still analyzing the malware, Brian Krebs at the Washington Post was able to quote Trend Micro as saying the malware was designed to steal user credentials.

The registrar, Network Solutions, was quick to claim there had been no breach of their system. At this point in the game — since no one knows or is saying -- my guess is that this statement probably means there was one that they don't know of at this time. Network Solutions did warn their customers about a phishing attack on their customers about a month ago. This has led to speculation that the credentials were stolen by information-stealing malware, or by social engineering (someone being tricked into giving them up).

The Washington Post story also mentions that U.S. Bank might have been affected by this attack, but isn't commenting. In a subsequent post in Security Fix (Washington Post), Brian Krebs noted that Internet security firm known as Internet Identity reported that 71 other domains were pointed at the Ukrainian domain in question during the attack.

Thus far, about 5,000 victims have been identified. As in the past, instances where identities were compromised are being offered free identity theft protection for their unfortunate circumstance.

I decided to look at the CheckFree site itself. The reason I did this is because whenever I see the word "free," especially in cyberspace, I've learned to be wary.

According to CheckFree.com, everything is free on their site except for fees charged for the use of credit cards and emergency (rush payments). On the site, they publish in bold phrases like "one easy," "secure location," "no charge," and "100% guarantee."

They even run an ad for FreeCreditReport.com on the main page of their site. Although I have to admit that the guitar dude FreeCreditReport.com uses on their ad is pleasing to the eye, the catch is that you automatically sign up for a service that charges you $14.95 a month. You can get around this by cancelling within the first seven days. If you read the fine print disclaimer on FreeCreditReport.com, it says, "ConsumerInfo.com, Inc. and FreeCreditReport.com are not affiliated with the annual free credit report program. Under a new Federal law, you have the right to receive a free copy of your credit report once every 12 months from each of the three nationwide consumer reporting companies. To request your free annual report under that law, you must go to http://www.annualcreditreport.com/." Most experts agree that a person can do the same thing these services offer for free and that most of them do not protect from all forms of identity theft.

I got a little off-track with the FreeCreditReport.com ad, but it amazes me how few people read the small print on guarantees. Because of this, I decided to check out some of the small print on the CheckFree site.

So far as the fraud guarantee — if you read the disclaimer — you have to notify them within two days of the transactions to limit your liability to $50.00. It's pretty unlikely that anyone falling for a fraud on a financial transaction is going to figure it out in two days.

It also guarantees payments will make it on time, as long as you send them within the time period specified in the service agreement. In looking at the service agreement, this is two days before the bill is due. Of course, they do offer rush payments for a fee.

So far as "secure location" statement, if hackers were able to get the admin username and password to their site, this assertion is, at the very best, questionable.

In a second post about this story in Security Fix (Washington Post), it brings up evidence that registrars have been identified by the cyber-criminal community as lucrative targets. This assertion is backed up by recent security studies on the security of domain registrars. This makes sense because some of these sites like CheckFree are a window to hundreds of financial institutions, protected by a single username and password.

I'm surprised no one has raised the question of whether or not the financial information — which presumably has to be stored for record keeping purposes — might have been compromised.

In my limited experience with domain registrars, I've run into some frustrating experiences when trying to report sites (sometimes laden with malware) that were set up for no other reason than to steal personal and financial information. I've found that if you want to get a quick response with some of them, you need to be persistent to the point of being a pest. Given that most fake sites are designed to only stay in operation for a short period of time before they move on, it's like playing a game of whack-a-mole. Because of these experiences, I'm not confident they will be quick to react to this new security challenge. Let's hope I'm wrong.

In the world where outsourcing and contracting have become the norm, it isn't surprising that financial institutions are using third-party platforms to perform financial transactions. Every time information is given to a third party, it makes protecting it more difficult. The reason for this is different standards for protecting information (especially when international borders are crossed) and the fact that back door access is being given to more and more people. In the end, it is human beings who come up with the schemes to steal, not computers.

Whether or not this becomes a trend or not probably depends on how financially lucrative this method of attack becomes for the hackers who did the dirty deed. Of course, if we learn from it and take immediate action, perhaps we can limit some of the damage that could occur. I guess time will be the best judge of that.

0 comments

How to Legally Buy Hot Merchandise

(Courtesy of PropertyRoom.com)

Auction sites like eBay and Craigslist are frequently criticized for the amount of stolen and counterfeit items being sold on their sites. Even worse, stories about their customers being scammed have become Internet folklore.

Now there is a site that openly advertises that it is selling stolen merchandise. Even better, when you buy hot merchandise off this site, you need not worry about the authorities showing up at your door in the wee hours of the morning with a search warrant. The reason for this is that the site is stocked by over 1500 Police Departments and is run by former law enforcement types.

The site, PropertyRoom.com is an e-version of the more traditional auctions held by Police departments to get rid of unclaimed stolen property. "With distribution and service centers nationwide, PropertyRoom.com specializes in the auction of stolen, seized, found and surplus goods and vehicles. Serving over 1,100 law enforcement agencies nationwide, we offer a fraud-free marketplace with superior customer support." according to the "about us" page on the site.

I decided to surf the site and it contains a wide array of goodies at cheaper prices than what I've seen being fenced (speculative) on other Internet auction sites. For instance, desktop computers being auctioned were being bid at well under $100, laptops were showing bids of $100 to $400 and iPods were being bid anywhere from about $16 to $150. Of course computers aren't the only items available on the site, which hawks all kinds of electronics, watches, jewelry, tools, cameras, cars and a host of other high theft items.

It is well known that criminals like to steal high value items that are easy to transport. They also tend to go after items that are popular and easy to sell (fence). If you are looking for popular items, this site is a good place to buy them at an almost too good to be true price, legally.

PropertyRoom.com also is in the fund raising business and will help charitable organizations raise money. All the costs of putting on the event are covered by PropertyRoom.com. I should also mention that some of the proceeds of the sales on the site help fund law enforcement agencies, who like the rest of us, are dealing with ever-dwindling financial resources.

They also maintain the only nationwide registry available to the general public for recovering lost or stolen goods. This service is completely free. You can register items that were stolen already, or your high value items that might be stolen at a later date. If they receive an item that matches what you have registered — your property will be returned to you. Try doing this at any of the other auction sites!

The Internet has opened new avenues for criminals to fence stolen merchandise. This has made it easier to sell stolen merchandise and there are many who believe that it contributes to the problem. The most recent survey by the National Retail Federation estimates that Organized

Retail Crime is a $30 billion a year issue. Their most most recent Organized Crime Survey showed that e-fencing on traditional auction sites has grown by six percent. In response to this, they are even pushing bills in Congress to force the auction sites to allow more access to law enforcement and retailers, who are attempting to shut down this activity.

Even the government has found some of their stolen merchandise available for sale on eBay and Craigslist.

Please remember this doesn't even take into account the billions of dollars of property stolen from ordinary people. It also doesn't take into account the ordinary people who are scammed on auction sites, either. I wouldn't worry about getting scammed on PropertyRoom.com — I'm pretty sure they cooperate with law enforcement to the fullest extent.

We all know money is tight this Christmas season and there are a lot of people trying to stretch their limited resources. PropertyRoom.com is a place where you can do it and be certain that you are not contributing to a growing problem.

0 comments